WikiLeaks’ recent release of documents purported to be from the Central Intelligence Agency demonstrate the agency’s ability to bypass widely used enterprise security tools such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
Unfortunately, the information in the document on EMET has been redacted by WikiLeaks, so we can’t say how the CIA is able to bypass the security tool.
Microsoft describes EMET as a “utility that helps prevent vulnerabilities in software from being successfully exploited … by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities.”
The security tool is particularly useful to Microsoft’s enterprise customers because it can take years to deploy new Windows versions in large-scale environments, leaving enterprises open to zero-day vulnerabilities. EMET was designed as a tool to stop zero-day attacks and other advanced attacks between OS upgrades.
The WikiLeaks revelations about the CIA’s bypass of EMET add to the list of organizations that have been able to circumvent its protections. In 2014, Bromium Labs announced that it had developed an exploit code that bypassed EMET 4.1. The researchers said that their bypass used “generic limitations” of the tool and were not “easily repaired.”
Last year, FireEye researchers disabled EMET by exploiting a function within the tool that is responsible for unloading it from the application once it has determined that the app is not malicious. “One simply needs to locate and call this function to completely disable" the security tool, the researchers explained.
Pulling the plug on EMET
These and other exploits, as well as beefed-up security protections in Windows 10, have prompted Microsoft to pull the plug on EMET. Microsoft originally planned to end support for the security tool in January, but decided to postpone its demise until July 31, 2018, in response to customer feedback.
In a blog post last November, Jeffrey Sutherland, principal lead program manager for OS security at Microsoft, said his firm had embedded EMET’s security features into Windows 10. These features include data execution prevention (DEP), address space layout randomization (ASLR), and control flow guard (CFG).
Sutherland cited a number of limitations to the EMET tool. First, it was not developed as a “robust security solution,” but rather as a “stop-gap solution” to block zero-day exploits between Windows updates. As a result, there are a number of “well-publicized bypasses available to get around EMET,” he noted.
Second, the security tool “hooks into low-level areas” of Windows, but the operating system was not designed for this type of use. This leads to degradation of performance and reliability of Windows and applications running on it. This causes an “ongoing problem for customers since every OS or application update can trigger performance and reliability issues due to incompatibility with EMET,” he wrote.
Third, EMET has not kept pace with the changes to Windows, particular Windows 10. While the latest version, 5.5x, can run on Windows 10, “its effectiveness against modern exploit kits has not been demonstrated, especially in comparison to the many innovations built-in to Windows 10.” So it’s time to sunset the security tool, Sutherland concluded.
Wait just a minute
Not so fast, said Will Dormann, senior vulnerability analyst at the CERT Coordination Center. In a blog post reacting to Microsoft's EMET decision, Dormann argued that Windows 10 “does not provide the additional protections that EMET does.”
The application-specific protections provided by EMET are where the real added value of the tool lies. “Because we cannot rely on all software vendors to produce code that uses all of the exploit mitigations available, EMET puts this control back in our hands,” Dormann noted. An application “running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured,” he added.
In an exclusive interview with TechGenix, Dormann said that enterprises should use the tool to protect themselves against certain classes of vulnerabilities. “The EMET tool is quite effective in helping to protect against exploitation of memory corruption vulnerabilities, which are an entire class of software bug,” he said.
Dormann criticized Microsoft for announcing the end of support for the security tool because some enterprises have decided not to deploy the tool or even to remove it if it had been deployed. “One of the most useful aspects of EMET is that I can take an application that is running on my system and I can tell EMET to give it extra protection…. If you simply upgrade to Windows 10, you don’t get” that capability, he said.
At the same time, Dormann agreed that integrated security protections in Windows 10 are “valuable,” but not all enterprise applications “opt into” these protections. By contrast, an administrator can use EMET to “force” an application to opt into security protections.
Windows 7 and EMET
As an example, Dormann said that he took a fully patched Windows 10 system and was able to exploit a vulnerability in the Firefox browser. “There was nothing about Windows 10 that stopped the Firefox exploit from working,” he observed. Yet, he was able to block that exploit using a Windows 7 system and EMET.
“This is a perfect example of how EMET can protect a system when the default mitigations that come with Windows 10 might not necessarily protect you,” Dormann said. With the security tool, “you are no longer at the mercy of the software developer to do the right things to protect you,” he added.
In addition, users aren’t necessarily rushing to upgrade to Windows 10. According to the latest stats from Net Market Share, close to half of PCs are still running Windows 7, while only one-quarter are running Windows 10. Enterprises are notoriously slow in upgrading due to the added cost, application compatibility issues, employee preferences, and other factors that discourage IT administrators from undertaking the massive project.
“You can’t assume that everyone is running the latest version of Windows 10 and the latest version of every app. That is not an accurate representation of how these systems work,” Dormann observed. “A properly configured system with EMET buys the IT administrators time … and minimizes the window of exposure” between the exploit of a vulnerability in the wild and the rollout of a fix for the vulnerability from the vendor, he stressed.
In sum, it seems that the CIA is not the only organization that can bypass the EMET tool. Even Microsoft recognizes its limitations and plans to end support for the tool next year. Yet, EMET still provides important protections for enterprise users that Windows 10 doesn’t provide. And since many enterprises aren’t running Windows 10 yet, EMET’s protections are even more important than ever for IT administrators and security pros.
Photo credit: CIA